Schrems II and Your Academic Software Stack
You picked a LaTeX editor because it compiled fast and your co-authors could edit at the same time. You did not sign up to think about a 2020 ruling from the Court of Justice of the European Union. Yet Schrems II is the reason your university’s IT office might quietly refuse to approve the US-hosted tool you have been using for three years. This is the relatable version of what happened, why it touches the everyday software academics rely on, and how EU-only hosting makes the whole problem disappear.
The thirty-second history
Max Schrems is an Austrian lawyer who spent a decade challenging how personal data flows from Europe to the United States. He won twice. The first case (Schrems I, 2015) killed the “Safe Harbor” framework. The second, in July 2020, is the one that matters here.
In Schrems II, the Court of Justice of the European Union invalidated the EU-US Privacy Shield, the legal mechanism thousands of American companies used to receive EU personal data. The court’s reasoning was blunt: US surveillance law (notably FISA Section 702 and Executive Order 12333) lets American intelligence agencies access data held by US providers in ways that EU citizens cannot meaningfully challenge in court. That conflicts with the protections GDPR promises. So the transfer mechanism fell.
The court did not ban transfers outright. It said you can still use standard contractual clauses (SCCs), but only after assessing whether the destination country actually protects the data, and adding “supplementary measures” if it does not. For the US, that assessment is hard to pass, because no contract between two companies can override what a government surveillance law permits.
Why this lands on your desk
Here is the part academics underestimate. Schrems II is not an abstract problem for tech giants. It applies the moment EU personal data crosses to a US provider, and your academic software stack is full of those crossings.
Think about a normal week:
- A collaborative writing tool storing your manuscript, your co-authors’ names, and their institutional emails.
- A reference manager syncing your library to a US cloud.
- A survey platform holding respondent data.
- A cloud drive with your thesis chapters.
If any of those vendors stores or processes data in the US, or is a US company that could be compelled to hand data over, you are making a third-country transfer. Under GDPR that transfer needs a lawful basis, and after Schrems II the easy basis is gone. Your data protection officer knows this, which is why procurement keeps asking the same question: where does the data actually live?
The “Data Privacy Framework” and why it didn’t end the story
In 2023 the European Commission adopted a new adequacy decision: the EU-US Data Privacy Framework (DPF). It was meant to be the durable replacement for Privacy Shield. For now, certified US companies can again receive EU data.
Treat that as a temporary calm, not a settled answer. The DPF is built on the same kind of foundation that the court struck down twice. Max Schrems has already signalled a challenge, and most EU data protection authorities advise controllers to keep doing transfer impact assessments rather than assume the framework will hold. If a “Schrems III” invalidates the DPF, every institution that leaned on it scrambles overnight. We walk through that exposure in more depth in our compliance overview.
The strategic lesson is simple. A legal mechanism that can be revoked by a court is not a foundation you want under your unpublished research.
There is a pattern here worth naming. Safe Harbor lasted fifteen years before Schrems I struck it down. Privacy Shield lasted four before Schrems II. Each replacement has had a shorter shelf life and faced a faster challenge, because the underlying tension never went away: US surveillance law and EU fundamental rights are pointing in different directions, and a commercial agreement between two companies cannot reconcile them. Until US law changes, every adequacy decision built on top of it inherits the same crack. Betting your institution’s compliance on the next one holding is a bet against a fairly consistent track record.
How EU-only hosting removes the risk entirely
Notice the shape of the problem. Every Schrems II headache comes from data leaving the EU. Transfer impact assessments, SCCs, supplementary measures, DPF certification, the whole apparatus exists to manage a transfer. Remove the transfer and you remove the apparatus.
That is the entire argument for an EU-hosted academic software stack. If your LaTeX editor stores everything on EU soil and never sends it to a third country, there is no transfer to assess, no Privacy Shield to lose, no DPF to fret over. The risk does not get managed. It stops existing.
This is the design choice behind inscrive.io.
| US-hosted tool | inscrive.io | |
|---|---|---|
| Data location | US or mixed | Germany and Finland only |
| Transfer mechanism needed | SCCs / DPF | None |
| Schrems II exposure | Yes | No |
| Signed DPA | Sometimes | Yes (Organizations) |
| Independent audit | Varies | Yes |
inscrive hosts with Hetzner in Germany and Finland, in ISO 27001-certified data centres, with 100% EU data residency and no third-country transfers. There is a signed DPA for institutional customers and an independent inspection report behind the security claims. And inscrive never uses your documents to train AI models, so your work is not quietly feeding a system you cannot audit. (More on that in is your writing tool training AI on your unpublished research.)
It is worth being clear that this is a structural property, not a paid add-on. inscrive is freemium, and the EU-only hosting applies on the Free plan (€0, up to 10 active projects, unlimited collaborators) exactly as it does on Pro and Organizations. You do not have to reach the institutional tier to get data that never leaves the EU. The signed DPA is the piece that lives on the Organizations plan, because a DPA is a contract an institution signs centrally, but the underlying “no transfer ever happens” fact is the same for a solo PhD student on the free tier and a 500-seat department.
A note on what “US-owned” really triggers
One subtlety trips people up. The risk is not only about where servers physically sit. A US-headquartered company can host your data in a Frankfurt data centre and still fall under US jurisdiction, which means laws like the CLOUD Act can compel it to produce data regardless of physical location. So “our servers are in Europe” from a US vendor is necessary but not always sufficient. What removes the ambiguity is an EU-based company hosting on EU soil, with no parent in a third country that can be served a production order. That is the combination that makes the transfer question genuinely moot rather than merely well-managed.
What to do this month
You do not need to rip out your stack tomorrow. You do need to know where you stand.
- Inventory the transfers. List the cloud tools holding any personal data (collaborator details count) and note where each one hosts.
- Flag the US-hosted ones. Those are your Schrems II exposure. Ask each vendor for their current transfer basis.
- Check the DPF dependency. If a vendor’s only answer is “we’re DPF certified,” recognise that as a single point of failure tied to a contestable adequacy decision.
- Prefer EU-only where it’s painless to switch. Writing tools are unusually easy to migrate, and the compliance upside is large.
For the procurement-side questions worth asking a vendor, our piece on why your LaTeX tool needs a signed DPA has a checklist, and the inscrive GDPR page lays out the hosting specifics.
The takeaway
Schrems II is not lawyer trivia. It is the reason a perfectly good US-hosted tool can become un-approvable for an EU institution, and the reason the Data Privacy Framework is more reprieve than resolution. The durable fix is structural: keep the data in the EU and the transfer problem never arises. For something as portable as a LaTeX editor, that is a switch worth making before a court forces the question.
inscrive.io stores your research in Germany and Finland, never transfers it to a third country, and never trains AI on it. Start writing, it’s free, and read the GDPR page for the full picture.
